Ajar Rab

Arbitration proceedings no longer need “venue” as proceedings are taking place remotely. At the same time, the venue of arbitration may be more significant than it has ever been before due compliance requirements with data protection laws.

There has been a lot of euphoria around moving arbitration proceeding online. From video hearings to cloud storage for documents, there is a myriad of unexplored opportunities to save time and cost in arbitration proceedings. While arbitrators continue to discuss the pros and cons of a physical hearing versus a virtual hearing, fair and equitable treatment of the parties versus an efficient hearing, data protection laws are lurking in the shadows to spoil these laudable endeavors.

Until now, courts have continued to grapple with questions of “seat” versus “venue” and their effect on arbitration proceedings. It is a settled view that “the place of arbitration” or “venue” has no legal significance to arbitration proceedings apart from being a convenient place for the conduct of the hearing. However, with online hearings, the concept may be about to change.

Data protection laws such as the proposed Personal Data Protection Bill, 2019 (“Bill”), and the General Data Protection Regulation (“GDPR”), require compliance with anybody handling or receiving data or ‘personal data’ (Section 4 of the Bill) i.e., email address, postal address, IP address or any information relating to an identified person. In essence, ‘personal data’ would include any information which can identify a person, directly or indirectly (Section 2(28) of the Bill). Hence, details of parties, employees, witnesses, tribunal secretaries’, documents containing personal data etc. would fall within the Bill and the GDPR. Though the Bill and the data protection laws of other countries may not be strict as GDPR, nonetheless, the philosophy they employ remains largely the same. In essence, data protection laws, apply to any data, received by any person who is resident in a jurisdiction to which such laws apply.

In arbitration, data protection laws do not apply to the proceedings per se, but to all arbitration participants involved in the arbitration. Therefore, in a hearing between a sole arbitrator located in Germany, one party in Singapore and the other in India it is unclear who bears the responsibility for handling the data. Add to this a list of tribunal secretaries, institutions, witnesses, or a three-member tribunal. 

Institutions such as the International Chamber of Commerce have come out with cyber protocols, Chartered Institute of Arbitrators has come out with guidelines for remote hearing, and the Hong Kong International Arbitration Centre is offering secure platforms to enhance arbitral efficacy further, but the larger question remains as to who is responsible for compliance with data protection laws? More importantly, how many of such laws? And what is the probable result of non-compliance in any one of them?

One view to such a question may be that each party, i.e., the arbitral institutions, the secretary, the arbitrator, the parties and everyone connected with the arbitration, including witnesses bears such responsibilities. If such a view were to be accepted then who is to bear the cost of compliance? Will ensuring compliance not cause further delay? Hence, the initial potential on time and cost savings due to online hearings may be a little too optimistic. 

The other view may be that such questions pertain entirely to mandatory law. Hence, concerns over non-compliance would be relevant only with respect to the data protection laws of the lex fori. Does this mean that parties in all other jurisdiction can ignore data protection laws, despite being mandatory law?

A question tied to compliance is whether arbitrators bear the obligation to inform parties of their obligation to comply with the data protection laws in their respective jurisdictions. If yes, each jurisdiction, in effect, becomes the “venue” of arbitration and now has legal significance. Furthermore, if the arbitrators fail to exercise such diligence can they continue to claim immunity under the lex arbitri or should they seek an insurance against, any or all liabilities arising out of non-compliance of data protection laws in arbitration proceedings?

Another spoiler to the euphoria of ‘remote hearings’ is the possibility of abuse by one party deliberately refusing online hearing under the pretext of not intending to take the liability of compliance with data protection law. In such cases, can the arbitral tribunal continue online hearing in the interest of fair and efficient proceeding at the cost of the award being challenged?

The intent behind raising these concerns is not to diminish the enthusiasm with which arbitral institutes, arbitrators and parties are trying to find solutions in these challenging times. Instead, the intent is to raise orange flags about potential compliances with data protection laws that may arise in each jurisdiction, where any arbitration participant may fall within the definition of “data processor” under Section 2(15) of the Bill which specifically includes collection, recording, organisation, storage, use, indexing of data within the definition of ‘processing’ under Section 2(31), or “data controller” under the GDPR.

Therefore, the arbitration community collectively needs to address concerns for compliance with data protection laws apart from data security and confidentiality alone. One possible interpretation could be to take resort to the exceptions under Section 12 to 14 of the Bill and the GDPR i.e, (i) compliance with the legal obligations [ Article 6 (1) (c) of GDPR], (ii) vital interest [ Article 6 (1) (d) of GDPR] and (iii) legitimate interest [Article 6 (1) (f) of GDPR]. However, whether similar exemptions are available under different data protection laws and how the regulators and courts will interpret, only time will tell.

The other alternative may be to provide for a transnational data protection law which can be applied to arbitration proceedings. This may entail possible amendments to the Model Law or a de novo convention dealing with data protection in arbitration. However, this can only happen if countries agree to sign such convention or adopt such amendments and create exceptions to their own mandatory data protection laws in favour of arbitral efficacy. Such a possibility is grim, if not impossible.

Therefore, despite the noble intent of saving time and costs by moving arbitration practice and proceedings online, data protection compliances may, in turn, risk enforceability of arbitral award for non-compliance with mandatory law or Lois de police.

Ironically, arbitration proceedings no longer need “venue” as proceedings are taking place remotely. At the same time, the venue of arbitration may be more significant than it has ever been before due compliance requirements with data protection laws.

The Author is Partner at Rab & Rab Associates LLP and  Visiting Professor at NLSIU Bangalore.